Volatility3 core commands
Assume you're given a memory sample that is likely from a Windows host, but you have minimal information about it. Here's how to identify basic Windows host information using Volatility.
Volatility can output a lot of information, and it is not always easy to read. Use the -r (render) flag to produce output as pretty (tabulated), json, csv, or quick.
I typically export results as CSV if I want to import them into a timeline or filter them in Excel.
Display process information
If you want to display the same process information but include highlighted parent/child processes (as a tree)
Dump executables and associated DLLs (you need the process ID/PID first)
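As an added example (not from the original page or the Volatility project), a small Python helper that takes the CSV produced with `-r csv` for the process list (assumed here to come from the windows.pslist plugin; the sample rows and column set are constructed, and the parser relies only on the PID, PPID and ImageFileName columns), rebuilds the parent/child tree described above, and lists processes whose recorded parent is absent from the listing, which is a common triage check before deciding which PIDs to dump.

```python
import csv
from collections import defaultdict

# Constructed sample in the shape of `vol.py -f <image> -r csv windows.pslist`
# output (column layout assumed; only PID, PPID and ImageFileName are used).
SAMPLE_PSLIST_CSV = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe00000061040,120,-,N/A,False,2021-01-01 10:00:00.000000,N/A,Disabled
0,348,4,smss.exe,0xe0000154e040,2,-,N/A,False,2021-01-01 10:00:01.000000,N/A,Disabled
0,468,348,csrss.exe,0xe000019f2080,10,-,0,False,2021-01-01 10:00:02.000000,N/A,Disabled
0,584,576,winlogon.exe,0xe00001b4e080,4,-,1,False,2021-01-01 10:00:03.000000,N/A,Disabled
0,1320,584,explorer.exe,0xe00002c2e080,40,-,1,False,2021-01-01 10:00:10.000000,N/A,Disabled
0,2844,1320,powershell.exe,0xe000036f2080,12,-,1,False,2021-01-01 10:05:00.000000,N/A,Disabled
0,3012,2844,svchost.exe,0xe0000399a080,3,-,1,False,2021-01-01 10:05:02.000000,N/A,Disabled
"""

def parse_pslist(csv_text):
    """Return {pid: (ppid, image_name)} from pslist CSV text."""
    procs = {}
    for row in csv.DictReader(csv_text.splitlines()):
        procs[int(row["PID"])] = (int(row["PPID"]), row["ImageFileName"])
    return procs

def build_tree(procs):
    """Group PIDs under their parent; a process whose parent is absent becomes a root."""
    children = defaultdict(list)
    roots = []
    for pid, (ppid, _) in sorted(procs.items()):
        if ppid in procs:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    return roots, children

def render_tree(procs):
    """Indented parent/child listing built from the flat pslist CSV."""
    roots, children = build_tree(procs)
    lines = []
    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{procs[pid][1]} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for root in roots:
        walk(root, 0)
    return lines

def orphans(procs):
    """PIDs whose parent is not in the listing (parent exited, or lineage worth a closer look)."""
    return [pid for pid, (ppid, _) in procs.items() if ppid not in procs and ppid != 0]
```

Feed `render_tree` and `orphans` the real CSV export and the PIDs it surfaces are the ones to pass to the dump step above.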